Control: tags -1 confirmed On 02.01.2017 18:00, Emmanuel Bourg wrote: > Hi Karten, > > Thank you for the report. > > It looks like the patch for CVE-2016-6816 applied in 7.0.28-4+deb7u7 is > incomplete. The patch removes the AstAttribute class but > SecurityClassLoad still attempts to load it (along with other classes in > the same package, also removed). > > This issue is specific to the version of tomcat7 in Wheezy, in Jessie > the AstAttribute class no longer exists.
Hi Karsten, thanks for the report and thanks to Emmanuel for the analysis. @Karsten I have uploaded some new binary packages of Tomcat7 to https://people.debian.org/~apo/wheezy-lts/tomcat7/ Could you test them on your system and report back if it works for you? There is also a tomcat7.debdiff which you just need to apply to the source package, if you want to build everything from source. Regards, Markus
signature.asc
Description: OpenPGP digital signature